From peter.grundl@DEFCOM.COM Tue Jan 23 00:10:58 2001
From: "Peter [iso-8859-1] Gründl"
X-Sender: prg@astral.defcom.com
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 22 Jan 2001 13:30:33 +0100
Subject: [BUGTRAQ] def-2001-05: Netscape Fasttrack Server Caching DoS
[The following text is in the "iso-8859-1" character set]
[Your display is set for the "US-ASCII" character set]
[Some characters may be displayed incorrectly]
======================================================================
Defcom Labs Advisory def-2001-05
Netscape Fasttrack Server Caching DoS
Author: Peter Gründl
Release Date: 2001-01-22
======================================================================
------------------------=[Brief Description]=-------------------------
The Fasttrack 4.1 server has problems with its caching module. The
problem can result in all the server memory being consumed and thus
causing the server to perform very sluggishly.
------------------------=[Affected Systems]=--------------------------
- Netscape Fasttrack Server 4.1 for Windows NT 4.0
----------------------=[Detailed Description]=------------------------
The Fasttrack 4.1 server caches requests for non-existing URLs with
valid extensions (eg. .html). The cached ressources are not freed
again (at least not after half an hour), so a malicious user could
cause the web server to perform very sluggishly, simply by requesting
a lot of non-existing html-documents on the web server.
---------------------------=[Workaround]=-----------------------------
None known.
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 7th of
December, 2000. Vendor replied that the Fasttrack server is not meant
for production environments and as that, the issue will not be fixed.
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================